1 of 5

Crypto

Randomness

Basically, there is an LCG being used to generate the string of numbers. It takes a seed, multiplies it with "a", adds "b", and then takes that mod a prime "p".

We don't know any of these values however. It generates a list of numbers from a starting random seed this way, and then xors each character of the flag to get a new list.

We know the flag format is "FwordCTF{", so we can start by XORing these characters to get the actual string of LCG generated numbers: [6680465291011788181, 5100570103593250306, 5906808313299165163, 1965917782737693404, 9056785591048864532, 1829758495155458643, 6790868899161600099, 1596515234863242753, 1542626304251881944] Now, we do some modular maths stuff:

6680465291011788181 a + b = 5100570103593250306 5906808313299165163 a + b = 1965917782737693404(all of these are taken mod p of course) 1596515234863242753 * a + b = 154262630425188194

We can subtract the equations from each other to get rid of the b: (6680465291011788181 - 5906808313299165163)a = 5100570103593250306 - 1965917782737693404 (5906808313299165163 - 1596515234863242753)a = 1965917782737693404 - 1542626304251881944

Simplifying:

773656977712623018a = 3134652320855556902
4310293078435922410a = 423291478485811460

Im using these from now because idk why the others arent working

5194353664298357346a = 53888930611360809
2265916691887264433a = 233243260292215890

Solve script:

p = 9444729917070668893
a = 7762244320486225184
b = 731234830430177597
X=[6680465291011788181]
c=0
while c<73:
    X.append((a*X[c]+b)%p)
    c+=1
o = ""
bleh = [6680465291011788243, 5100570103593250421, 5906808313299165060, 1965917782737693358, 9056785591048864624, 1829758495155458576, 6790868899161600055, 1596515234863242823, 1542626304251881891, 8104506805098882719, 1007224930233032567, 3734079115803760073, 7849173324645439452, 8732100672289854567, 5175836768003400781, 1424151033239111460, 1199105222454059911, 1664215650827157105, 9008386209424299800, 484211781780518254, 2512932525834758909, 270126439443651096, 3183206577049996011, 3279047721488346724, 3454276445316959481, 2818682432513461896, 1198230090827197024, 6998819122186572678, 9203565046169681246, 2238598386754583423, 467098371562174956, 5653529053698720276, 2015452976526330232, 2551998512666399199, 7069788985925185031, 5960242873564733830, 8674335448210427234, 8831855692621741517, 6943582577462564728, 2159276184039111694, 8688468346396385461, 440650407436900405, 6995840816131325250, 4637034747767556143, 3074066864500201630, 3089580429060692934, 2636919931902761401, 5048459994558771200, 6575450200614822046, 666932631675155892, 3355067815387388102, 3494943856508019168, 3208598838604422062, 1651654978658074504, 1031697828323732832, 3522460087077276636, 6871524519121580258, 6523448658792083486, 127306226106122213, 147467006327822722, 3241736541061054362, 8781435214433157730, 7267936298215752831, 3411059229428517472, 6597995245035183751, 1256684894889830824, 6272257692365676430, 303437276610446361, 8730871523914292433, 6472487383860532571, 5022165523149187811, 4462701447753878703, 1590013093628585660, 4874224067795612706]
for i in range(len(bleh)):
    o += chr(bleh[i] ^^ X[i])
print(o)

Flag: FwordCTF{LCG_easy_to_break!That_was_a_mistake_choosing_it_as_a_secure_way}

One Part!

RSA-CRT. We're given dp, which is d modulus p - 1. This is the exact same problem as Weirder RSA from picoCTF 2017, so I shamelessly copied the script and changed the parameters, revealing the flag

https://hgarrereyn.gitbooks.io/th3g3ntl3man-ctf-writeups/content/2017/picoCTF_2017/problems/cryptography/weirderRSA/weirderRSA.html

Flag: FwordCTF{i_knew_it_its_not_secure_as_i_thought}

BDBG

Boneh-durfee go brrrr and then you can reverse the other function easily since its just XOR

Flag: FwordCTF{boneh_and_blum?_mix3d_but_good_j0b!!}

Weird RSA

Each character of the plaintext is encrypted using a known N and unknown e, creating a ciphertext array we're given. Infact, the actual RSA behind it is completely irrelevant. All we need to know is that each character is mapped to a number via a mapping function which we cannot reverse. The ciphertext is 932 numbers long, with 31 unique numbers, making it the equivalent of a simple substitution cipher which we can easily break using frequency analysis.

I used this script(with the values already loaded in enc)

english_freq = [' ', 'E','T','A','I','N','O','R','S','L','H',
                'C','M','D','Y','P','U','W','F','G','.','V',
                'B','X','K',',','Q', 'Z', '\'', '0', '9']
freqenc = sorted(set(enc),key=enc.count,reverse=True)
mapping = {}
for num in freqenc:
    if freqenc.index(num) >= len(english_freq):
        mapping[num] = '-'
    else:
        mapping[num] = english_freq[freqenc.index(num)]
dec = ''
for num in enc:
    dec += mapping[num]
print(dec)

Which prints out:

DOEKHESYW RSRLWANA NA HAEU DIO GOERVNSF AHGATNTHTNIS YNMCEOA. TCE FESEORL NUER NA TI DNSU TCE MIMHLRO LETTEOA NS TCE YNMCEOTEXT RSU TOW TI OEMLRYE TCEP GW TCE YIPPIS LETTEOA NS TCE HAEU LRSFHRFE. TCE RTTRYVEO HAHRLLW YCEYVA AIPE MIAANGNLNTNEA RSU PRVEA AIPE AHGATNTHTNISA ID LETTEOA NS YNMCEOTEXT. CE LIIVA DIO MIAANGLE RMMERONSF BIOUA RSU GRAEU IS TCRT PRVEA PIOE AHGATNTHTNISA. HANSF YIPMHTEOA, NT NA MIAANGLE TI TOW R LIT ID YIPGNSRTNISA NS OELRTNQE ACIOT TNPE. BORM TCE DLRF NS NTA DIOPRT 0 BELLDOEKHESYWRSRLWANAOIYVA. DIO EXRPMLE, ND NS TCE RSRLW'EU YNMCEOTEXT TCE PIAT MIMHLRO LETTEO NA X, ISE PRW MOEUNYT TCRT X OEMLRYEU E IO I ZISE ID TCE PIAT MIMHLRO LETTEOA NS ESFLNAC9 DOIP TCE MLRNSTEXT. NT NA HAEDHL TI LIIV DIO MIMHLRO MRNOA ID LETTEOA IO EQES TOW TI MOEUNYT AIPE DOEKHEST LISFEO AEKHESYEA ID LETTEOA IO BCILE BIOUA. TCE NSTOHUEO RLBRWA TONEA TI DNSU AEKHESYEA ID LETTEOA BCNYC ROE IDTES HAEU NS TCE AELEYTEU LRSFHRFE.

I'm not sure why the output is wrong, but it can be chucked into a substitution cipher solver(https://www.guballa.de/substitution-solver) to get the real plaintext:

FREQUENCY ANALYSIS IS USED FOR BREAKING SUBSTITUTION CIPHERS. THE GENERAL IDEA IS TO FIND THE POPULAR LETTERS IN THE CIPHERTEXT AND TRY TO REPLACE THEM BY THE COMMON LETTERS IN THE USED LANGUAGE. THE ATTACKER USUALLY CHECKS SOME POSSIBILITIES AND MAKES SOME SUBSTITUTIONS OF LETTERS IN CIPHERTEXT. HE LOOKS FOR POSSIBLE APPEARING WORDS AND BASED ON THAT MAKES MORE SUBSTITUTIONS. USING COMPUTERS, IT IS POSSIBLE TO TRY A LOT OF COMBINATIONS IN RELATIVE SHORT TIME. WRAP THE FLAG IN ITS FORMAT 0 WELLFREQUENCYANALYSISROCKS. FOR EXAMPLE, IF IN THE ANALY'ED CIPHERTEXT THE MOST POPULAR LETTER IS X, ONE MAY PREDICT THAT X REPLACED E OR O ZONE OF THE MOST POPULAR LETTERS IN ENGLISH9 FROM THE PLAINTEXT. IT IS USEFUL TO LOOK FOR POPULAR PAIRS OF LETTERS OR EVEN TRY TO PREDICT SOME FREQUENT LONGER SEQUENCES OF LETTERS OR WHOLE WORDS. THE INTRUDER ALWAYS TRIES TO FIND SEQUENCES OF LETTERS WHICH ARE OFTEN USED IN THE SELECTED LANGUAGE.

From here we can see the flag is WELLFREQUENCYANALYSISROCKS wrapped in the flag format(you actually had to put it in lowercase too)

Flag: FwordCTF{wellfrequencyanalysisrocks}